Sorry for the naïve question, but we have a total of about 7000 relays, many of them residential and thus practically unused or very lightly used. So the actual number of relays that carry most of the traffic is rather small, and many of them are middle relays, leaving an even smaller number of guard relays. This means that an adversary with a rather modest budget can easily take over half the guards.
Whats the trust mechanism (if any) to ensure that the majority of guards are not hijacked by adversaries?
Whats the trust mechanism (if any) to ensure that the majority of guards are not hijacked by adversaries?
See https://blog.torproject.org/blog/lifecycle-of-a-new-relay
* You need to wait around 70d to be a fully ready guard relay consuming all the possible bandwidth. * Any sybil attack will be discovered even before having the guard flag at all (8th day). * And you have to provide a lot of bandwidth to the network to be on the top quarter of relay to have the guard flag.
So it will be difficult for an attacker to hijack enough guard nodes to be really dangerous. Too costly (bandwidth), too long (70d) and too visible.
Remember too that your client use only few guards at each time and rotate them only each 4 to 8 weeks. So even if evil guard appear, you have to wait at least 4 weeks to be in danger if in danger at all (probability is low to peak an evil guard at the next rotation).
And last, even if you use an evil guard node, attacker need to control an other node (middle or exit) on one of your circuit to break anonymity.
So, evil guard nodes are not a big problem :)
Regards,
tor-relays@lists.torproject.org
-
Aeris -
Rana